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Abstract:  This  paper  presents  the  implementation  and 
evaluation  of  ATPG  attack  on  hybrid  custom- 
programmable  circuits.  While  functionality  of 
programmable  cells  are  only  known  to  trusted  parties, 
effective  techniques  for  activation  and  propagation  of  the 
cells  are  introduced.  The  ATPG  attack  carefully  studies 
dependency  of  programmable  cells  to  develop  their 
(partial)  truth  tables.  Results  demonstrate  the  capabilities 
of  the  ATPG  attack. 
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Introduction 

The  widely  practiced  horizontal  integrated  circuit  supply 
chain  exposes  a  design  to  various  types  of  attacks  including 
the  reverse  engineering  attack.  The  reverse  engineering 
(RE)  attack  aims  to  obtain  the  detailed  design 
implementation,  and  it  may  take  different  forms  [1].  To 
protect  a  circuit  against  the  RE  attack,  new  design 
techniques  such  as  split  manufacturing  [2],  camouflaging 
[3],  and  hybrid  STT-CMOS  circuits  [4]  have  been 
proposed.  Hybrid  STT-CMOS  circuits  combine  custom  and 
programmable  cells  to  hide  the  functionality  of  certain 
number  of  gates. 

To  reverse  engineer  circuits  that  integrate  unknown 
gates  such  as  camouflaged  circuits,  the  RE  attack  based  on 
satisfiability  (SAT)  has  been  also  investigated  [5].  While 
the  effectiveness  of  SAT-based  attacks  becomes  limited 
when  the  size  of  circuit  and  the  number  of  possible 
identities  increase  [5],  this  paper  investigates  the  capability 
of  the  automatic  test  pattern  generation  (ATPG)  attack  on 
circuits  that  are  composed  of  known  and  unknown  logic 
gates  such  as  camouflaged  circuits  and  hybrid  STT-CMOS 
circuits. 

To  determine  the  functionality  of  an  unknown  logic 
gate  ( m ),  the  ATPG  attack  is  to  develop  m’s  (partial)  tmth 
table.  This  requires  test  pattern  application  to  set  inputs  of 
m  to  different  input  combinations  (the  rows  of  tmth  table) 
and  to  propagate  the  output  of  m  to  some  primary  outputs. 
This  work  introduces  a  platform  for  an  automated  ATPG 
attack  that  can  be  executed  by  any  ATPG  tool  without  need 
for  a  high-level  of  IC  testing  knowledge.  To  evaluate  the 
effectiveness  of  the  ATPG  attack  in  practice,  it  is  being 
applied  to  hybrid  combinational  STT-CMOS  circuits  [4]. 
The  contributions  of  this  work  are:  (1)  introducing  the 


ATPG  attack  model,  (2)  studying  activation  mechanisms 
for  unknown  gates  based  on  the  stuck- at  fault  model,  (3) 
analyzing  challenges  for  propagating  the  output  of 
unknown  gates  to  some  observation  points,  and  (4) 
proposing  a  platform  to  evaluate  the  resiliency  of  a  circuit 
against  the  ATPG  attack. 

The  ATPG  Attack  Model 

The  attacker  applies  a  set  of  test  vectors  to  the  circuit  and 
observes  its  output(s).  The  attacker  hopes  to  resolve  the 
hybrid  circuit  by  analyzing  input  and  output  pairs.  The 
ATPG  attack  model  assumes:  (1)  an  attacker  has  the  netlist 
of  unresolved  hybrid  custom-programmable  circuit,  (2)  the 
attacker  obtains  a  configured  hybrid  custom-programmable 
circuit  (the  blackbox  circuit),  and  (3)  the  attacker  generates 
a  set  of  patterns  and  applies  it  to  the  blackbox  circuit. 

It  is  not  difficult  for  an  attacker  to  obtain  the  netlist  of 
unresolved  hybrid  custom-programmable  circuit.  For 
example,  an  untmsted  manufacturer  directly  obtains  the 
circuit  from  the  design  house.  When  the  circuit  is 
manufactured  and  released  to  the  market,  the  attacker  can 
directly  order  one  that  is  configured  by  the  design  house  or 
a  trusted  vendor,  as  well.  This  circuit  serves  as  a  blackbox 
circuit.  Having  the  unresolved  netlist  and  its  blackbox 
counterpart,  the  attacker  generates  a  set  of  test  patterns  by 
analyzing  the  unresolved  netlist  and  applies  it  to  the 
blackbox  circuit.  Then  the  attacker  processes  input-output 
vectors  to  resolve  the  unresolved  netlist. 

In  the  ATPG  attack,  the  attacker  is  to  obtain  the 
(partial)  truth  table  of  each  unknown  logic  gate.  If  all  rows 
of  truth  table  are  obtained,  the  programmable  logic  gate 
becomes  resolved  and  known.  Otherwise,  a  pool  of  possible 
logic  gates  (candidates)  that  match  the  partial  truth  table  is 
obtained.  In  such  a  case,  the  attacker  may  select  one  of 
candidates  and  then  target  the  remainder  of  unknown  logic 
gates. 

To  develop  the  truth  table  of  a  programmable  gate  (or 
called  a  missing  gate),  the  ATPG  attack  needs  to  set  the 
gate’s  inputs  to  different  combinations  and  to  propagate  its 
output  to  an  observation  point.  A  missing  gate  can  be 
highly  correctly  determined  if  it  is  independent  from  any 
other  missing  gates.  On  the  contrast,  it  may  not  be  possible 
to  obtain  the  complete  truth  table  of  a  dependent  missing 
gate,  and  even  the  obtained  partial  truth  table  may  not  be 
necessarily  correct  as  it  is  based  on  the  assumption  that 
some  other  dependent  missing  gates  are  resolved  correctly. 
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Resolving  an  unknown  logic  gate  consists  of  two  main 
steps,  namely  activation  and  propagation,  and  Figure  1 
presents  the  overall  ATPG  attack  flow. 


Activation  for  the  ATPG  Attack 

Controllability  of  inputs  of  a  missing  gate  through  primary 
inputs  for  activation  is  determined  by  its  dependency  to 
other  missing  gates  and  can  be  categorized  into:  Full 
Controllability,  Partial  Controllability,  and  No 
Controllability.  Full  controllability  for  a  missing  gate  is 
defined  as  the  existence  of  no  missing  gate  in  the  fan-in 
cone  of  the  missing  gate  (referred  as  FullCtrlCSE  in  Figure 
1).  For  a  full-controllability  missing  gate  with  |/|  number  of 
inputs  and  \0\  number  of  outputs,  there  are  at  most  2|71+|01 
combinations  that  need  to  be  examined  to  correctly 
determine  its  functionality.  For  example,  Figure  2  verifies 
whether  the  output  of  a  2-input  missing  gate  is  0  by 
replacing  it  by  an  AND  gate  whose  inputs  are  inverted  and 
considering  the  stuck-at  0  (saO)  at  the  output  of  AND  gate 
(the  ANDOO  case).  Dependency  between  missing  gates 
limits  their  controllability.  In  the  partial  controllability  for  a 
missing  gate,  some  input  signals  of  a  missing  gate  are 
driven  by  some  other  missing  gates  while  its  other  inputs 
are  yet  accessible  through  primary  inputs  (referred  as 
PrtCtrlCSE/PtrSwCtrlCSE  in  Figure  1).  For  example, 
Figure  3  presents  a  case  with  two  missing  gate  and  mj 
where  one  input  of  is  driven  by  my.  To  determine  the  row 
“IX”  for  m? s  truth  table  (X  represents  don’t  care),  the 
missing  gate  is  replaced  by  an  OR  gate  whose 
controllable  input  is  inverted  with  a  stuck-at  1  (sal)  at  that 
input  (the  ORIX  case).  If  all  inputs  of  a  missing  gate  are 
driven  by  some  other  missing  gate,  the  missing  gate  holds 
no  controllability,  it  cannot  be  resolved. 

In  general,  if  any  inputs  of  a  missing  is  controllable, 
the  ATPG  attack  replaces  the  missing  gate  with  a  specific 
case  to  apply  a  specific  input  combination  to  the  inputs  of 
missing  gate. 

Propagation  for  the  ATPG  Attack 

The  main  challenge  in  propagation  of  the  output  of  a 
missing  gate  to  a  primary  output  is  the  existence  of  some 
other  missing  gates  in  its  fan-out  cone.  To  address  the 
challenge,  the  attacker  needs  to  find  a  clean  path  defined  as 
a  path  that  is  not  passing  through  any  other  missing  gate  nor 
reachable  by  any  other  missing  gate.  In  large  circuits  with 
gates  with  multiple  fan-out  branches,  the  number  of  paths 
exponentially  increases.  This  would  require  considerable 


storage  and  processing  time  to  determine  clean  paths.  To 
address  these  challenges,  obtaining  clean  paths  can  be 
broken  in  two  steps:  (1)  clean  primary  outputs,  and  (2)  path 
direction.  A  clean  primary  output  is  defined  as  a  primary 
output  that  contains  no  missing  gates  but  a  target  missing 
gate  (mi)  in  its  fan-in  cone.  Path  direction  is  to  determine  if 
a  clean  path  inverts  the  output  of  the  target  missing  gate  or 
not. 


Figure  3.  Partial  controllability  (The  ORIX  case). 


After  defining  a  stuck-at  fault  at  the  output  of  a 
missing  gate  (being  done  at  the  activation  phase),  an 
attacker  can  check  the  clean  primary  outputs.  If  any  of  these 
primary  outputs  reflect  the  fault,  it  means  the  output  of 
missing  gate  reaches  to  this  primary  output.  If  the  fault  at 
the  output  of  missing  gate  is  stuck-at-O(l)  and  the  primary 
output  also  reports  stuck-at-O(l),  the  clean  path  from  the 
missing  gate  to  this  primary  output  is  not  inverting; 
otherwise,  the  clean  path  is  inverting. 

For  example,  if  my  is  the  target  missing  gate  in  a  circuit 
shown  in  Figure  4,  the  following  propagation  paths  for  the 
m7  missing  gate  exist:  Pj  =  {g3,  g5,  g u},P2=  {g3,  gs,  m2, 
gn},  P3  =  {g3,  gs,  m 2,  gi3},  and  P4  =  {g3;  g  14}  •  The  P2  and 
P3  paths  are  not  clean  as  both  contain  the  m2  missing  gate. 
On  the  other  hand  the  P3  and  P4  paths  are  clean  paths. 


Figure  4.  Clean  paths  for  propagation  in  the  ATPG  attack. 
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Results 

The  selection  algorithms  [4]  are  applied  on  the  ISCA’S  85 
combinational  circuits  [6].  The  HOPE  fault  simulation  tool 
[7]  is  used  to  launch  the  ATPG  attack.  While  HOPE  is 
originally  to  generate  patterns  randomly  for  fault  detection, 
proposed  activation  and  propagation  techniques  forces 
HOPE  to  apply  a  specific  combination  of  values  on  the 
inputs  of  missing  gates  and  propagate  the  output  of  missing 
gate  to  some  primary  outputs.  The  limit  of  number  of  try  for 
HOPE  to  detect  a  fault  is  set  to  5000. 


Table  1 .  The  ATPG  attack  on  the  Independent  Selection. 


Circuit 

Name 

#  Missing 
Gate 

Average  No 
Patterns 

Average  Time 
(min:  sec) 

C880 

9 

786.60 

00:20.71 

C1908 

4 

169.10 

00:12.44 

C2670 

4 

550.90 

00.36.75 

C3540 

5 

491.50 

00:29.94 

C5315 

3 

439.20 

00:41.87 

Table  1  presents  results  for  the  ATPG  attack  on 
missing  gates  selected  by  the  Independent  Selection  where 
gates  are  not  reachable  from  each  other  directly  or 
indirectly.  The  results  indicate  there  are  few  circuits  with 
independent  gates,  and  there  are  small  number  of 
independent  missing  gates  in  such  circuits  (#  Missing 
Gates).  Table  1  reports  Average  No  Pattern  and  Average 
Time  after  10  rounds  of  HOPE  simulation.  There  exists  a 
roughly  high  correlation  (~  0.74)  between  #  Missing  Gates 
and  Average  No  Pattern.  Table  1  shows  that,  Average  Time 
is  dependent  on  the  Circuit  Size  (number  of  gate  in  the 
circuit)  and  Average  Pattern,  and  there  is  a  high  correlation 
(~  0.93)  between  Average  Time  and  (Circuit  Size  x 
Average  Pattern). 


Table  2.  The  ATPG  attack  on  the  Dependent  Selection. 


Circuit 

Name 

# 

Missing 

Gate 

# 

Attackable 

Average 

No 

Patterns 

Average 
Time 
(min:  sec) 

C499 

7 

7 

439.90 

09:51.94 

C880 

10 

2 

5516.30 

00:32.60 

C1355 

19 

2 

33.80 

02:29.11 

C1908 

9 

1 

73.50 

03:20.10 

C2670 

9 

2 

38.80 

03:40.81 

C3540 

8 

6 

764.00 

58:54.11 

C5315 

23 

6 

10631.90 

44:35.47 

Table  2  shows  the  results  of  ATPG  attack  on  missing  gates 
selected  based  on  the  Dependent  Selection  (DS)  where  all 
gates  on  a  timing  path  are  replace  with  missing  gates.  In 
this  paper,  only  one  path  in  benchmark  is  constantly 
targeted.  If  there  exists  reconvergence  paths  between  the 
missing  gates  in  DS,  an  attacker  cannot  apply  the  ATPG 
attack  on  all  missing  gates.  Only  missing  gates  that  have  a 
clean  propagation  path  with  full  controllability 
(FullCtrlCSE)  or  partial  controllability  (PrtCtrlCSE)  can  be 


attacked.  In  Table  2,  #  Attackable  shows  the  number 
missing  gates  for  which  either  FullCtrlCSE  or  PrtCtrlCSE 
can  be  evaluated.  Except  the  benchmarks  C499  and  C3540, 
considerable  portion  of  missing  cannot  be  targeted  due  to 
either  lack  of  controllability  or  a  clean  path  for  propagation. 
Average  Time  indicates  that  the  ATPG  attack  takes  longer 
time  for  larger  circuits. 

Table  3  shows  the  results  of  ATPG  attacks  on  missing  gates 
selected  based  on  the  Parametric-aware  Dependent 
Selection  where  some  gates  on  a  timing  path  are  replaced 
with  missing  gates  and  any  gate  driven  by  or  drive  known 
gates  on  the  timing  path  are  replaced  with  missing  gates. 
The  results  indicate  the  existence  of  large  number  of 
missing  gates  (#  Missing  Gate)  while  small  number  of  them 
are  really  attackable  (# Attackable).  While  Average  No 
Pattern  presents  smaller  number  pattern  compared  to  Table 
2  because  of  smaller  attackable  missing  gates,  considerable 
increase  in  Average  Time  is  being  observed. 


Table  3.  The  ATPG  attack  on  the  Parametric-aware 
_ i _ Dependent  Selection. _ _ 


Circuit 

Name 

# 

Missing 

Gate 

# 

Attackable 

Average 

No 

Patterns 

Average 

Time 

(min:sec) 

C432 

11 

2 

35.20 

06:30.54 

C499 

13 

3 

51.30 

13:17.52 

C880 

15 

2 

586.80 

19:13.68 

C1355 

21 

3 

89.80 

79:06.96 

C1908 

22 

1 

1.70 

130:45.66 

C3540 

23 

4 

95.30 

1065:56.94 

C5315 

20 

2 

21.70 

658:05.88 

Discussion 

Assuming  idealistically  any  required  pattern  to  apply  a 
specific  values  on  inputs  of  a  missing  and  to  propagate  the 
output  of  the  missing  gate  can  be  deterministically 
obtained,  we  can  estimate  how  many  patterns  may  take  for 
the  ATPG  attack  to  determine  the  functionality  of  missing 
gates. 

Given  |M|  the  number  of  independent  missing  gates  in  a 
combinational  circuit,  the  minimum  number  of  required  test 
patterns  for  the  ATPG  attack  to  determine  all  missing  gates 
(Nindep)  is  equal  to 

\M\ 

Nindep  ~  ^ 
i-1 

where  a  is  the  average  number  of  required  patterns  to 
determine  an  independent  missing  gate. 

The  value  of  a  is  determined  based  on  the  similarity  of  the 
output  of  the  gates.  For  example,  the  similarity  of  2-input 
AND  gate  and  2-input  NOR  gate  is  2  since  for  two  input 
combinations  they  produce  the  same  output,  and  the 
similarity  of  2-input  AND  gate  and  2-input  NAND  gate  is  0 
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as  their  output  are  completely  opposite.  For  2-input  gates, 
the  average  similarity  of  gates  is  1.45,  so  the  average 
required  patterns  to  determine  a  2-input  missing  gate  (a)  is 
2.45.  For  3-input  gates  and  4-input  gates,  a  is  equal  to  4.2 
and  7.4,  respectively. 

Dependency  between  missing  gates  considerably  increases 
the  ATPG  attack’s  effort.  Given  M  the  number  of  missing 
gates  that  one  input  of  any  missing  gate  is  driven  by  the 
output  of  another  missing  gate,  and  |P/|  is  the  size  of  pool  of 
candidates  for  a  missing  gate  mi,  the  average  number  of 
required  test  patterns  to  determine  all  missing  gates  in  the 
dependent  selection  {Ndep)  is  equal  to 

|M| 

Ndep  —  |  |  &i  *  I  Pi  I 

i= l 

Assuming  the  existence  of  test  patterns  to  apply  different 
combinations  at  the  accessible  inputs  of  missing  gates  and 
to  propagate  the  output  of  missing  gates,  the  size  of  pool 
(\Pi\)  is  2.7,  2,  and  2  for  2-input,  3-input,  and  4-input 
missing  gates,  respectively.  The  value  of  \Pi\  is  obtained 
based  on  the  truth  table  of  gates.  For  example,  by  ignoring 
one  input  of  2-input  gates,  the  truth  table  of  AND  would  be 
similar  to  those  of  OR,  NOR,  and  XNOR  gates.  In  another 
case,  the  truth  tables  of  XOR  would  be  similar  to  NAND 
and  NOR  gates. 

If  missing  gates  are  selected  such  that  all  of  their  inputs  are 
driven  with  some  other  missing  gates,  the  ATPG  attack’ 
effort  exponentially  increases.  A  more  plausible  approach 
for  the  attacker  is  to  launch  SAT-based  attack  or  a  brute 
force  attack.  Given  \M\  the  number  of  missing  gates,  |/| 
inputs  accessible  to  drive  missing  gates,  and  |P|  the  number 
of  all  available  gates  in  a  technology  library  with  the  same 
number  of  inputs  as  a  missing  gate,  the  maximum  number 
of  test  patterns  to  determine  the  missing  gates  in  a  brute 
force  attack  (Nbj)  is  equal  to 

Nbf  =  2'7I  x  |P|IML 
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